Essential Linux Account Security & Intrusion Investigation Checklist

This guide explains how to secure Linux accounts, examine critical system files, use command‑line tools to monitor logins, detect suspicious activity, analyze logs, and investigate potential intrusions, providing practical steps for administrators to harden and audit their servers.

Efficient Ops

Account Security

User account information: /etc/passwd stores one account per line in the format account:password:UID:GID:GECOS:directory:shell. Example entry:

# Format: account:password:UID:GID:GECOS:directory:shell
root:x:0:0:root:/root:/bin/bash

Common commands to view users:

# Accounts with an interactive login shell
grep /bin/bash /etc/passwd
# Accounts with UID 0 (root privileges)
awk -F: '$3==0{print $1}' /etc/passwd
# Accounts granted sudo rights (skip comments and blank lines in sudoers)
grep -v "^#\|^$" /etc/sudoers | grep "ALL=(ALL)"

Note: Accounts without passwords can only log in locally.

The shadow file /etc/shadow stores encrypted passwords and expiration information. Example entry:

root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::
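The three account checks above (UID 0 accounts, accounts with a login shell, accounts with no password) as a small audit script. This is an added example, not code from the original article: the file paths are parameters so it can be run against copies or against the real /etc/passwd and /etc/shadow, the sample data is constructed, and the list of interactive shells in the regular expression is an assumption to extend for your own systems.

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd/shadow pair
# for the things the checklist looks for: UID 0 accounts, accounts with an
# interactive login shell, and accounts whose shadow password field is empty.

# Print every account whose UID (field 3) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print every account whose shell (field 7) is an interactive shell.
# nologin and false are left out; the shell list is an assumption.
login_accounts() {
    awk -F: '$7 ~ /\/(bash|sh|zsh|ksh|dash|fish)$/ { print $1 }' "$1"
}

# Print every account whose shadow password field (field 2) is empty.
# An empty field means no password at all, which differs from a locked
# account ("!" or "*" in the field).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data: a second UID 0 account ("toor"), service
# accounts without a login shell, and one account with an empty password.
# The hashes are placeholders, not real password hashes.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$salt$hashplaceholder:16809:0:99999:7:::
daemon:*:16809:0:99999:7:::
toor::16809:0:99999:7:::
alice:$6$salt2$anotherplaceholder:16809:0:99999:7:::
www-data:!:16809:0:99999:7:::
EOF
    echo "$dir"
}

# Run with --demo to audit the constructed sample files; pass /etc/passwd
# and /etc/shadow to the functions directly to audit a live system.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_files)
    echo "UID 0 accounts:";          uid0_accounts "$d/passwd"
    echo "Login-shell accounts:";    login_accounts "$d/passwd"
    echo "Empty-password accounts:"; empty_password_accounts "$d/shadow"
    rm -rf "$d"
fi
```

On the sample data the audit reports root and toor as UID 0, root, toor and alice as login-shell accounts, and toor as the account without a password; the second UID 0 entry is exactly the kind of finding the checklist's "disable or delete suspicious accounts" step acts on.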

Commands to view current logged‑in users and session duration:

who
w
uptime

Intrusion Investigation

Check recent successful and failed logins using last and lastb. The /var/log/wtmp file records login sessions; protect it from deletion with chattr +a /var/log/wtmp.

List privileged users and disable or delete suspicious accounts:

# Disable account
usermod -L user
# Delete account
userdel user
# Delete account and remove home directory
userdel -r user

Inspect .bash_history for command history. Increase history size and add IP and timestamp:

# Save 10,000 commands instead of the default 1,000
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
# Append the following to /etc/profile so every login shell records
# the source IP, user and timestamp in front of each history entry
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
# Local console sessions have no source IP; record the hostname instead
if [ "$USER_IP" = "" ]; then USER_IP=$(hostname); fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "
# Append to the history file rather than overwriting it, and write
# each command out immediately instead of at shell exit
shopt -s histappend
export PROMPT_COMMAND="history -a"
# Reload the profile in the current shell
source /etc/profile

Check open ports and processes:

# All TCP sockets with the owning process
netstat -antlp | more
# Find the process behind a suspicious port or pattern (6666 is an example)
ps aux | grep 6666
# Binary the process was started from (shows "(deleted)" if it was removed)
ls -l /proc/$PID/exe
# Files and sockets held open by the process
lsof -p $PID
# Files opened by all processes of a given command
lsof -c sshd
# Processes using a given port
lsof -i :22
# Terminate the process once identified
kill -9 $PID

Examine startup scripts and runlevels:

# Current runlevel
runlevel
# Scripts run at boot
/etc/rc.local
# Start/kill links for runlevel 3
/etc/rc.d/rc3.d/
# How a persistent service is registered; look for unknown entries added this way
update-rc.d backdoor defaults 99

Review cron jobs and their locations:

# List the current user's cron jobs
crontab -l
# Remove all of the current user's cron jobs (no confirmation)
crontab -r
# System-wide daily jobs
more /etc/cron.daily/*
# Root's per-user crontab file
find /var/spool/cron/crontabs/root

Search for suspicious files by name, size, modification time, owner, or resource usage:

# By name
find / -name a.Test
# By size (>1000M)
find / -size +1000M
# Modified within last day
find / -mtime -1 -ls
# Files owned by root
find ./ -user root -type f
# Sort processes by CPU or memory usage
ps -ef --sort -pcpu
ps -ef --sort -pmem

Log Inspection

Key logs reside in /var/log/: secure, history, wtmp, lastlog, cron, messages, apache2/access.log, etc.

Typical log‑analysis commands:

# Find IPs attempting root brute‑force
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
# List successful logins
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c
# Show useradd and userdel events
grep "useradd" /var/log/secure
grep "userdel" /var/log/secure
# Show the current user's sudo privileges (sudo invocations themselves are logged to /var/log/secure)
sudo -l
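The brute-force and successful-login greps above, combined into one check that runs over a log file and reports the sources that crossed a failure threshold and then logged in. This is an added example, not code from the original article: the log path is a parameter, THRESHOLD (default 5) is an assumed cut-off, and the log lines are constructed in the standard sshd syslog layout so that field 11 is the source IP, as in the checklist's commands.

```shell
#!/bin/sh
# Added example (not from the original article): analyse /var/log/secure-style
# sshd lines for root brute-force sources and for logins from those sources.
# THRESHOLD is an assumed default; override it in the environment.
THRESHOLD=${THRESHOLD:-5}

# Count "Failed password for root" lines per source IP, highest first.
# Field 11 of the standard syslog line is the IP, as in the checklist.
failed_root_by_ip() {
    grep "Failed password for root" "$1" | awk '{print $11}' | sort | uniq -c | sort -nr
}

# Print the IPs with at least THRESHOLD failed root logins.
brute_force_ips() {
    failed_root_by_ip "$1" | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# Single pass: print "user ip" for every accepted login whose source IP
# also has THRESHOLD or more failed root logins, i.e. guessing that
# eventually succeeded. Field 9 is the user, field 11 the IP.
suspicious_successes() {
    awk -v t="$THRESHOLD" '
        /Failed password for root/ { fails[$11]++ }
        /Accepted / { ok[NR] = $9 " " $11; okip[NR] = $11 }
        END { for (n in ok) if (fails[okip[n]] >= t) print ok[n] }
    ' "$1" | sort
}

# Constructed sample log: five root failures then a success from one
# address, a single failure from a second, and a normal key login.
# Addresses are documentation ranges, not real hosts.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:01:01 host1 sshd[2001]: Failed password for root from 203.0.113.10 port 51000 ssh2
Mar  3 10:01:03 host1 sshd[2002]: Failed password for root from 203.0.113.10 port 51002 ssh2
Mar  3 10:01:05 host1 sshd[2003]: Failed password for root from 203.0.113.10 port 51004 ssh2
Mar  3 10:01:07 host1 sshd[2004]: Failed password for root from 203.0.113.10 port 51006 ssh2
Mar  3 10:01:09 host1 sshd[2005]: Failed password for root from 203.0.113.10 port 51008 ssh2
Mar  3 10:01:11 host1 sshd[2006]: Accepted password for root from 203.0.113.10 port 51010 ssh2
Mar  3 10:05:00 host1 sshd[2007]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  3 10:09:30 host1 sshd[2008]: Accepted publickey for alice from 192.0.2.25 port 45000 ssh2
Mar  3 10:12:00 host1 sshd[2009]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
EOF
    echo "$f"
}

# Run with --demo to analyse the sample log; pass /var/log/secure to the
# functions directly on a live system.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_log)
    echo "Failed root logins per IP:"; failed_root_by_ip "$f"
    echo "Brute-force sources:";        brute_force_ips "$f"
    echo "Logins from those sources:";  suspicious_successes "$f"
    rm -f "$f"
fi
```

On the sample log only 203.0.113.10 reaches the threshold, and the later "Accepted password for root" from the same address is the line worth escalating; the single failure from 198.51.100.7 and the key login from 192.0.2.25 are not reported.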
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.